January 27, 2015

This morning, a leaked note from Qualys' external PR agency made us aware of GHOST. In this blog entry, our crack team of analysts examines the technical details of GHOST and makes a series of recommendations to better protect your enterprise from mishaps of this sort.

Figure 1: The logo of GHOST, courtesy of Qualys PR.

Internally, GHOST appears to be implemented as a lossy representation of a two-dimensional raster image, combining YCbCr chroma subsampling and DCT quantization techniques to achieve high compression rates; among security professionals, this technique is known as JPEG/JFIF. This compressed datastream maps to an underlying array of 8-bpp RGB pixels, arranged sequentially into a rectangular shape that is 300 pixels wide and 320 pixels high. The image is not accompanied by an embedded color profile; we must note that this poses a considerable risk that on some devices, the picture may not be rendered faithfully and that crucial information may be lost.

In addition to the compressed image data, the file also contains APP12, EXIF, and XMP sections totaling 818 bytes. This metadata tells us that the image has been created with Photoshop CC on Macintosh. Our security personnel notes that Photoshop CC is an obsolete version of the application, superseded last year by Photoshop CC 2014. In line with industry best practices and OWASP guidelines, we recommend all users to urgently upgrade their copy of Photoshop to avoid exposure to potential security risks.

The image file modification date returned by the HTTP server at community.qualys.com is Thu, 02 Oct 2014 02:40:27 GMT (Last-Modified, link). The roughly 90-day delay between the creation of the image and the release of the advisory probably corresponds to the industry-standard period needed to test the materials with appropriate focus groups.

Removal of the metadata allows the JPEG image to be shrunk from 22,049 to 21,192 bytes (-4%) without any loss of image quality; enterprises wishing to conserve vulnerability-disclosure-related bandwidth may want to consider running jhead -purejpg to accomplish this goal.
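As an added illustration of the metadata inventory described above (this is not code from the original post, and the bytes are a constructed sample rather than Qualys' file), the following walker parses JPEG marker segments, reports the size of each APPn/COM section such as EXIF, XMP and APP12, and rebuilds the file without them, a simplified analogue of what jhead -purejpg does:

```python
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
XMP_NS = b"http://ns.adobe.com/xap/1.0/\x00"
# Strippable: COM and APP1..APP15 minus APP14 (Adobe colour-transform flag that decoders
# consult); APP0 (JFIF) is kept as well.
METADATA = {0xFE, *range(0xE1, 0xF0)} - {0xEE}

def segments(data):
    """Yield (marker, start, end) per segment; the SOS entry spans header + scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, 0, 2
    pos = 2
    while pos + 1 < len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == EOI:
            yield EOI, pos, pos + 2
            return
        # Every marker between SOI and SOS carries a 2-byte big-endian length (incl. itself).
        end = pos + 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == SOS:                       # entropy-coded data follows the header; in it
            end = data.find(b"\xff\xd9", end)   # FF is always stuffed (FF 00) or an RSTn, so
            if end < 0:                         # the first FF D9 after the header is the EOI
                raise ValueError("missing EOI")
        yield marker, pos, end
        pos = end
    raise ValueError(f"bad marker or truncated file at offset {pos}")

def metadata_report(data):
    """Map each metadata section (EXIF, XMP, APP12, COM, ...) to its size in bytes."""
    report = {}
    for marker, s, e in segments(data):
        if marker in METADATA:
            payload = data[s + 4:e]
            name = ("EXIF" if payload.startswith(b"Exif\x00") else "XMP" if payload.startswith(XMP_NS)
                    else "COM" if marker == 0xFE else f"APP{marker - 0xE0}")
            report[name] = report.get(name, 0) + (e - s)
    return report

def strip_metadata(data):                      # simplified jhead -purejpg: drop METADATA segments
    return b"".join(data[s:e] for m, s, e in segments(data) if m not in METADATA)

def _seg(marker, payload):                     # builds one segment for the constructed sample
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
# Constructed sample (not the Qualys file): a 1x1 baseline JPEG skeleton with JFIF, EXIF,
# XMP and APP12 ("Ducky", left by Photoshop's Save for Web) sections ahead of the scan.
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, b"Exif\x00\x00MM\x00\x2a" + bytes(20)) + _seg(0xE1, XMP_NS + b"<x:xmpmeta/>")
          + _seg(0xEC, b"Ducky\x00\x01\x00\x04\x00\x00\x00\x64") + _seg(0xDB, bytes(65))
          + _seg(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00") + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x2a\xff\x00\x3c" + b"\xff\xd9")
```

Running metadata_report(SAMPLE) lists the three strippable sections with their sizes, and strip_metadata(SAMPLE) returns the same skeleton with only JFIF, DQT, SOF0 and the scan left.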

Of course, all this mundane technical detail about JPEG images distracts us from the broader issue highlighted by the GHOST report. We're talking here about the fact that the JPEG compression is not particularly suitable for non-photographic content such as logos, especially when the graphics need to be reproduced with high fidelity or repeatedly incorporated into other work. To illustrate the ringing artifacts introduced by the lossy compression algorithm used by the JPEG file format, our investigative team prepared this enhanced visualization:

Figure 2: A critical flaw in GHOST: ringing artifacts.

Artifacts aside, our research has conclusively shown that the JPEG format offers an inferior compression rate compared to some of the alternatives. In particular, when converted to a 12-color PNG and processed with pngcrush, the same image can be shrunk to 4,229 bytes (-80%):

Figure 3: Optimized GHOST after conversion to PNG.

PS. Tavis also points out that ">_" is not a standard unix shell prompt. We believe that such design errors can be automatically prevented with commercially-available static logo analysis tools.

PPS. On a more serious note, check out this message to get a sense of the risk your server may be at. Either way, it's smart to upgrade.

Supraja, I think the point here is that the only thing that is worth mentioning about this vulnerability is the gross incompetence of the graphics designer. The vuln itself is pretty much a non-issue. You should also consider that the CVE was registered on 2014-11-18, 45 days after the logo upload, which reveals how important Qualys thought this is... :) We call this cheap marketing. I would have loved to have seen an advisory by Qualys about Reverse Heartbleed, how fast they patched and if they observed exploitation of their own scanners - remember that the client was just as vulnerable as the server.

The vuln is pretty interesting, although in terms of impact, probably not exceptional. That said, to their credit, Qualys folks have researched it pretty thoroughly and posted a pretty good report to oss-security@ and other mailing lists. But it is a bit disconcerting that PR factors into vulnerability disclosure so heavily.

Sorry, John Lane, but it seems you do not really know how the CVE system works; you should have studied more carefully what https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 says about the date 20141118: "Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."

You should contact Kurt Seifried, who issues CVE-IDs at Red Hat, and ask him when CVE-2015-0235 was assigned to the GHOST bug (which at that time had no name at all, because no one had thought of the "GHOST" pun yet). The answer is Sunday, 18 January, 2015; but please, you should ask him directly, because every information or theory should always be double-checked before it is published.

As for the alleged GHOST logo Last-Modified date ("Thu, 02 Oct 2014"), it was already explained in the oss-security mailing-list that it has absolutely nothing to do with the discovery or disclosure of the bug. But since this blog entry seems to be the source of inspiration for many sheeple (who apparently don't get Mr. Zalewski's sense of humor), here's the link: http://seclists.org/oss-sec/2015/q1/292